Methods and systems for tracking and recovering assets stolen on distributed ledger-based networks

ABSTRACT

The instant disclosure illustrates how the privacy and security of activities occurring on distributed ledger-based networks (DLNs) can be enhanced with the use of zero-knowledge proofs (ZKPs) that can be used to verify the validity of at least some aspects of the activities without private information related to the activities necessarily being revealed publicly. Methods and systems that are directed at facilitating the tracking and recovery of assets stolen on ZKP-enabled DLNs while preserving the confidentiality of the tokens are presented herein.

CROSS-REFERENCE TO RELATED PATENT APPLICATION

This application is a Divisional of U.S. Nonprovisional application Ser.No. 16/848,296, filed Apr. 14, 2020, titled “Methods and Systems forTracking and Recovering Assets Stolen on Distributed Ledger-BasedNetworks,” now U.S. Pat. No. 11,502,838, which claims priority to andthe benefit of U.S. Provisional Application No. 62/834,352, filed Apr.15, 2019, entitled “Methods and Systems for Tracking and RecoveringAssets Stolen on Distributed Ledger-Based Networks,” which isincorporated herein by reference in its entirety.

FIELD OF THE DISCLOSURE

The instant disclosure illustrates how the privacy and security ofactivities occurring on distributed ledger-based networks (DLNs) can beenhanced with the use of zero-knowledge proofs (ZKPs) that can be usedto verify the validity of at least some aspects of the activitieswithout private information related to the activities necessarily beingrevealed publicly. Methods and systems that are directed at facilitatingthe identification, tracking and recovery of assets stolen onZKP-enabled DLNs while preserving the confidentiality of the tokens arepresented herein.

BACKGROUND

Distributed ledger-based networks (DLNs) dispense with the need for acentral authority to manage the operations of the networks due to theDLNs' transparency and consensus-based verification mechanisms forvalidating actions occurring on the DLNs, which allow participants ofthe networks to trust the accuracy of the validations without thecentral authority. The transparency and consensus-based verificationmechanisms, however, compromise the privacy of the actions and theinvolved parties, as relevant information has to be shared with at leasta substantial portion of the participants of the DLNs for the actions tobe validated.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 shows a distributed ledger-based network configured for use inmanaging and conducting a private transaction between multiple partiesthat are participants of the network, according to some embodiment.

FIG. 2 shows a flow chart illustrating the minting of a token commitmenton a distributed ledger-based network to represent a real world orphysical asset on the distributed ledger-based network, according tosome embodiment.

FIG. 3 shows a flow chart illustrating the generation and submission ofa request for recovery of token commitments stolen or lost on adistributed ledger-based network, according to some embodiment.

SUMMARY

In some embodiments, methods and systems are directed at facilitatingthe identification, tracking and recovery of assets stolen onzero-knowledge proof (ZKP)-enabled distributed ledger-based networks(DLNs) while preserving the confidentiality of the tokens. For example,a method comprises receiving, at a computing node of a DLN and from arequester compute device of a requester, a request for recovery for afirst token commitment representing an asset on the DLN, the first tokencommitment generated via an application of a first hashing function onan asset token identifying the asset, a first public identifier on theDLN of the requester, a first random nonce and a first counting value.The request for recovery can include (1) a second token commitmentgenerated via an application of a second hashing function on the assettoken, a second public identifier on the DLN of the requester, a secondrandom nonce and a second counting value, and (2) a ZKP that (i) a tokencommitments data structure on the DLN that contains token commitmentsapproved for addition onto the DLN includes the first token commitment,and/or (ii) the second token commitment is generated via an applicationof the second hashing function on a group including the asset token usedto generate the first token commitment.

Further, the method can comprise verifying the ZKP in response toreceiving the request for recovery. The method can also comprisereceiving an indication of approval of the request for recovery from anarbitrator compute device of an arbitrator. In addition, the method cancomprise adding, via the computing node, the second token commitmentonto the token commitments data structure in response to the ZKP beingverified and the indication of the approval of the request for recoverybeing received. In some embodiments, the method comprises incrementingby one a public record of a number of approved requests for recoverysubmitted for the asset after the second token commitment is added ontothe token commitments data structure. In such cases, the public recordcan be configured to cloak a publicly identifying information of theasset and/or the asset token. In some embodiments, the method furtherincludes incrementing by one a public record of a number of pendingrequests for recovery submitted for the asset prior to the indication ofapproval of the request for recovery is received from the arbitrator.

In some embodiments, the first public identifier can be a first publickey of the requester on the DLN, and the ZKP can further include the ZKPthat the requester is capable of deriving a private key used to generatethe first public key from a master key that is reserved for deriving theprivate key. Further, the ZKP can also include the ZKP that the firsttoken commitment is generated via the application of the first hashingfunction on the group including the first public key on the DLN of therequester. In some embodiments, the first counting value and the secondcounting value are drawn from a countable set of counting values, thesecond counting value obtained by incrementing the first counting valueby a unit of the countable set.

In some embodiments, the arbitrator may be included within a pluralityof arbitrators, and the indication of approval of the request forrecovery can include a majority vote of the plurality of arbitratorsapproving the request for recovery. In some embodiments, the tokencommitments data structure can be a Merkle tree (i.e., be in the form ofa Merkle tree).

In some embodiments, a method comprises receiving, at a processor, arequest that is configured to cause a representation of an asset on aDLN, the asset identified on the DLN by an asset token. Further, themethod includes generating, in response to the request and via theprocessor, a token commitment to represent the asset on the DLN byhashing a group that includes the asset token and a counting value of acountable set that includes a plurality of counting values configured tocount a number of times a request for recovery is submitted for thetoken commitment, the counting value of the countable set being astarting counting value of the countable set. The method also comprisesinitializing, via the processor, a public record of the number of timesthe request for recovery is submitted for the asset, an initial value ofthe public record uniquely associated with the starting counting value.Further, the method includes providing, via the processor and to aself-executing code segment on the DLN, a ZKP that (1) the tokencommitment is generated by hashing a group that includes the startingvalue of the countable set, and/or (2) the counting value of thecountable set is the starting counting value of the countable set. Inaddition, the method comprises receiving, in response to verification ofthe ZKP by the self-executing code segment, a confirmation confirmingthe representation of the asset by the token commitment on the DLN. Thereceiving the confirmation can occur without an identifying informationof the asset and/or the asset token being revealed on the DLN.

In some embodiments, the ZKP includes that the counting value of thecountable set is obtained from a pre-determined algorithm configured tocompute the starting counting value of the countable set. In someembodiments, the public record is configured to cloak a publiclyidentifying information of the asset and/or the asset token. In someembodiments, the confirmation includes an indication that the tokencommitment is added onto a token commitments data structure on the DLNthat contains token commitments approved for addition onto the DLN.

In some embodiments, a method comprises receiving, at a sender computedevice of a sender and from a recipient computer device of a recipient,a request that is configured to cause a transfer of an asset from thesender to the recipient, the asset represented on a DLN by a first tokencommitment obtained via an application of a first hashing function on agroup that includes an asset token associated with the asset, a publicidentifier on the DLN of the sender and a first counting value. Further,the method comprises generating, in response to the request and via thesender compute device, a second token commitment via an application of asecond hashing function on a group that includes the asset token, apublic identifier on the DLN of the recipient and a second countingvalue, the second counting value being same as the first counting value.The method also comprises sending the second token commitment to aself-executing code segment on the DLN in response to the second tokencommitment being generated. In addition, the method includes generatingvia the sender compute device, a ZKP that (1) the second tokencommitment is generated via the application of the second hashingfunction on the group that includes the asset token, the publicidentifier on the DLN of the recipient and the second counting value,and/or (2) the second counting value is same as the first countingvalue. The method also comprises sending, in response to the ZKP beinggenerated, the ZKP to the self-executing code segment to cause theself-executing code segment verify the ZKP. In addition, the methodcomprises receiving, at the sender compute device and in response toverification of the ZKP by the self-executing code segment, aconfirmation confirming that the second token commitment is added onto atoken commitments data structure of the DLN that contains tokencommitments approved for addition onto the DLN. In some embodiments, theconfirmation includes an indication that the first token commitment isinvalidated as a representation of the asset on the DLN. The receivingthe confirmation can occur without the asset token and/or the assetbeing revealed publicly on the DLN

In some embodiments, a method comprises receiving, at a computing nodeof a DLN, a report identifying a token commitment representing an asseton the DLN as an invalid, the token commitment generated via anapplication of a hashing function on a group that includes an assettoken identifying the asset, a public identifier on the DLN of arecipient of the asset and a first counting value. The report caninclude a ZKP that a second counting value that corresponds to a valueof a public record of a number of approved requests for recoverysubmitted for token commitments representing the asset is greater thanthe first counting value. Further, the method comprises verifying theZKP in response to receiving the report. In addition, the methodincludes generating, via the computing node, and sending, to therecipient, a confirmation confirming that the token commitment isinvalid.

In some embodiments, the ZKP can further include the ZKP that the tokencommitment is generated via the application of the hashing function onthe group that includes the asset token identifying the asset, thepublic identifier on the DLN of the recipient and/or the first countingvalue. The value of the public record of the number of approved requestsfor recovery submitted for the asset can include the value of the publicrecord of the number of requests for recovery submitted for the assetand approved by an arbitrator of requests for recovery.

DETAILED DESCRIPTION

In some embodiments, parties participating in a transaction may elect touse a public distributed ledger-based network (DLN) to document thedetails of the transaction and manage its operations. DLNs can providedecentralized platforms that are transparent to at least all theparticipants of the networks, if not to the public at large, and assuch, can be viewed as consensus-based platforms that facilitate trustbetween transaction participants without the need for a centralauthority to administer the network. For example, parties participatingin a transaction for a sale of a digital music file can use aself-executing code or program (e.g., a smart contract) on the DLN(e.g., a blockchain) to manage the sale of the music file. Theself-executing code or smart contract can regulate the exchange of themusic file and the correct payment for the file between the partieswithout involvement from a third party. In some embodiments, the DLNscan also be used to manage transactions involving physical (e.g.,non-digital) assets. In some implementations, this can be accomplishedby using tokens to represent the assets, and a sale of an asset can berepresented by the transfer of the token representing the asset from oneparty (e.g., the seller) to a second party (e.g., the buyer).

In some embodiments, a DLN can be and/or support a blockchain.Throughout the instant disclosure, in some embodiments, the terms“distributed ledger-based network” and “blockchain network” may be usedinterchangeably. Similarly, in some embodiments, the terms“self-executing code” or “self-executing code segment” and “smartcontract” may be used interchangeably. Further, in some embodiments, theterm “transaction” may be used to refer to off-chain transactions (e.g.,transactions involving the sale of physical or digital assets betweenparties) and/or on-chain representation of these off-chain transactions(e.g., the transaction of tokens that represent the assets on theblockchain network). Whether the term refers to the former or the lattercase should be clear from context. The terms “off-chain” or “off-theDLN” are to be understood to mean “not on the blockchain network” or“not on the DLN.” For example, a statement such as “the application of ahashing function is performed off-the DLN” is to be understood asmeaning “the application of the hashing function is not performed on theDLN (and is performed elsewhere)”.

As noted above, in some embodiments, the trust the distributedledger-based networks provide with no need for a central authorityderives from the transparency of the networks to at least all theparticipants of the network (and in the case of public networks, to thepublic at large). This transparency, however, can reduce or eveneliminate any privacy or confidentiality that participants need or seekwhen interacting with the network or its participants. For example, inthe case of public networks, any interested person can access andinspect the distributed ledgers on the networks to obtain detailedinformation on all transactions that are represented on the ledgerssince the inception of the networks (as the ledgers are, in at leastmost cases, largely immutable). In some implementations, the lack ofprivacy or confidentiality can render the use of a public ledger-basednetwork untenable. For instance, a pharmacy using a public blockchainnetwork to manage the fulfillment of orders for shipment of prescriptiondrugs without a mechanism to conceal at least some aspects of thetransaction would publicly expose personal and health-related data ofits customers (thereby violating their privacy and possibly healthprivacy laws). In some embodiments, zero-knowledge proofs (ZKPs) can beused on ZKP-enabled DLNs to provide enhanced privacy to transactions andrelated accounts on the ZKP-enabled DLNs. For example, as discussedbelow, ZKPs can allow a participant of a ZKP-enabled DLN that has lostasset tokens to theft to report the theft to an arbitrator (e.g., anindependent third party that is engaged by the participant and/ordesignated by multiple participants of the ZKP-enabled DLN 100 to assessrequests for recovery of lost asset tokens, such as but not limited to,an insurer of the asset tokens) without having to disclose theparticipant's identity (e.g., the participant's public key on theZKP-enabled DLN 100), the identity of the lost asset tokens, theidentity of the off-chain assets identified on the ZKP-enabled DLN 100by the lost asset tokens, and/or etc.

In some embodiments, the use of ZKPs in ZKP-enabled DLNs may notcompletely prevent security lapses that result in the misallocation ofasset tokens stored in accounts of the ZKP-enabled DLNs. For example, aprivate key of an account may be accessed by a participant of theZKP-enabled DLNs other than the rightful owner of the account, and theparticipant may transfer ownership of the asset tokens in the accountillegitimately, i.e., without the consent of the rightful owner, to adifferent account not controlled by the rightful owner. The term“rightful owner,” in some implementations, is to be understood asreferring to a participant of a ZKP-enabled DLN 100 that presents avalid request for recovery of a lost asset token (e.g., a claim forindemnity) to an arbitrator such as the afore-mentioned independentthird party tasked with considering and settling the request (e.g., aninsurer of the asset token), where the arbitrator can also be aparticipant of the ZKP-enabled DLN 100. For instance, the rightful ownercan be a participant of the ZKP-enabled DLN 100 that can present, to anarbitrator's satisfaction, evidence of legitimate or legal ownershiprights over the lost asset token. As another example, the assets may betransferred to a different account inadvertently and irreversibly(transferred by the rightful owner or otherwise to an account whoseowner is unwilling or unable to return the assets, for example). In anycase, the security lapses may result in the assets contained within anaccount on a ZKP-enabled DLN 100 being unavailable to the rightful ownerof the account, and the rightful owner may wish to track the lost assettokens and request for their recovery from an arbitrator tasked withreviewing and settling the request.

The rightful owner can, for example, request for recovery of the lostassets by disclosing to the arbitrator, who may be a participant on aZKP-enabled DLN 100, the identities of the rightful owner as well asthose of the lost asset tokens. The rightful owner may make thedisclosure either on the ZKP-enabled DLN 100 or off the ZKP-enabled DLN100. The rightful owner may not wish to claim indemnity on theZKP-enabled DLN 100, however, as the disclosure can reveal privateinformation (e.g., identifying information of the rightful owner as wellas his/her asset tokens and/or off-chain assets identified on theZKP-enabled DLN 100 by the asset tokens) to the public or at least toall participants of the ZKP-enabled DLN. The latter may not be possibleor at least desirable either, as an indemnification claim systemseparate from the ZKP-enabled DLN may not be available, or may be costlyto set up and maintain (in addition to lacking the advantages that areinherent to DLNs such as, but not limited to, decentralization, near orcomplete immutability, auditability and/or the like).

In some embodiments, methods and systems allow a rightful owner of anasset token on a ZKP-enabled DLN 100 to track lost asset tokens andpresent a recovery request for the lost asset tokens to an arbitratorwithout having to reveal personal information related to the rightfulowner, the lost asset tokens (e.g., for which the claim is being made)and/or the off-chain assets identified on the ZKP-enabled DLN 100 by thelost asset tokens. For example, as discussed in detail below, afterdiscovering that an asset token is lost, the rightful owner of the assettoken may generate a ZKP to disclose the loss and prove the rightfulowner's ownership of the asset token to the arbitrator without having toreveal on the ZKP-enabled DLN 100, the identity of the lost asset token,the off-chain assets identified on the ZKP-enabled DLN 100 by the lostasset token, and/or the rightful owner. Further, the rightful owner maygenerate a ZKP to prove to the arbitrator that the request for recoveryis in fact submitted by the rightful owner, again without having toreveal the identity of the rightful owner, the lost asset token and/orthe off-chain asset identified on the ZKP-enabled DLN 100 by the lostasset token. As such, the use of ZKPs on ZKP-enabled DLNs facilitate thetracking of asset tokens lost on ZKP-enabled DLNs, as well as thesubmission of a request for recovery of the lost asset tokens to anarbitrator, while still preserving, at least substantially, the privacyafforded by ZKP-enabled DLNs.

FIG. 1 shows a ZKP-enabled DLN configured for use in managing andrepresenting a private transaction between two parties that areparticipants of the network, in particular a public network, accordingto an embodiment. As shown in FIG. 1 , the ZKP-enabled DLN or blockchainnetwork 100 includes multiple computing nodes 102 a-102 e configured tocommunicate amongst each other via a peer-to-peer (P2P) connection. Insome implementations, the computing nodes 102 a-102 e can each becomputing devices including but not limited to a computer, server,processor, data/information processing machine or system, and/or thelike, and include a data storage system such as a database, memory(volatile and/or non-volatile), etc. In some implementations, the P2Pconnections may be provided by wired and/or wireless communicationssystems or networks (not shown) such as but not limited to the internet,intranet, local area networks (LANs), wide area networks (WANs), etc.,using wireless communication protocols or standards such as WiFi®, LTE®,WiMAX®, and/or the like.

In some embodiments, the ZKP-enabled DLN 100 may include self-executingcodes or smart contracts that are configured to execute upon fulfillmentof conditions that are agreed upon between transacting parties. Forexample, some or all of the computing nodes 102 a-102 e may includecopies of a self-executing code that self-execute upon fulfillment ofthe conditions. In some implementations, the computing nodes 102 a-102 emay communicate amongst each other with the results of the executions oftheir respective self-executing codes, for example, to arrive at aconsensus on the results. In some implementations, one or a few of thecomputing nodes 102 a-102 e may have self-executing codes thatself-execute, and the results for which can be transmitted to the restof the computing nodes 102 a-102 e for confirmation.

In some embodiments, a self-executing code or a smart contract canfacilitate the completion of transactions on the ZKP-enabled DLN 100 byproviding the transacting parties confidence that the other party woulddeliver the promised product or payment. For example, with reference tothe above example related to the sale of a digital music file, a smartcontract can be used to verify that the seller of the file is in fact anowner of the file, the buyer of the music file has adequate resource topay for the music, etc. Further, the smart contract can facilitate theexchange of the music file by allowing the transfer of a payment tooccur only after the transfer of the music file is completed (andvalidated).

In some embodiments, the ZKP-enabled DLN 100 may be linked to one ormore compute device(s) such as oracles (not shown) or data feeds thatprovide external data to the ZKP-enabled DLN 100. In someimplementations, as discussed above, self-executing codes or smartcontracts can automatically execute upon realization of some conditionsof a transaction, and the oracles may provide the data that can be usedto evaluate whether the conditions are met. For example, a transactionmay be contingent on the price of a stock, a weather condition, etc.,and an oracle may provide the requisite information to the smartcontract facilitating the transaction. The smart contract, uponreceiving the information, may self-execute after determining that thecondition for the transaction has been fulfilled. In some embodiments,the oracles may gather information related to the smart contract and/orthe ZKP-enabled DLN 100 (e.g., for use by external systems). Forexample, the oracle may query the state of the smart contractperiodically and register any changes (which may be accessed later bythe external systems). As another example, an execution of the smartcontract may cause changes to the ZKP-enabled DLN 100 or parts thereof(e.g., to a storage system of the ZKP-enabled DLN 100) and the oraclemay query for and register these changes, again for later access by theexternal systems.

In some embodiments, at least a substantial number of the computingnodes 102 a-102 e (e.g., at least greater than 50% of the total numberof computing nodes 102 a-102 e that make up the ZKP-enabled DLN 100)include copies of a distributed ledger 104 a-104 e onto whichtransactions that occur on the network are recorded. The recording ofthe transactions on the distributed ledger 104 a-104 e may occur whensome substantial number of the computing nodes 102 a-102 e, or a subsetthereof, agree on the validity of the transactions. The distributedledger 104 a-104 e can be immutable or nearly immutable in the sensethat to alter the distributed ledger 104 a-104 e, at least thissubstantial number of the computing nodes 102 a-102 e would have toagree, which can be increasingly difficult when the number of computingnodes 102 a-102 e is large (and the distributed ledger 104 a-104 e getslonger).

As noted above, the ZKP-enabled DLN 100 can be used to facilitatetransactions that involve digital assets (e.g., sale of digital musicfiles). In some embodiments, the ZKP-enabled DLN 100 can also be used tofacilitate transactions of assets that occur off-chain or off-line(e.g., transactions of physical assets). In some implementations,off-chain assets can be represented by tokens (e.g., token commitments)on the ZKP-enabled DLN 100, and the sale or transfer of the off-chainassets can be represented on the ZKP-enabled DLN 100 by the transfer ofthe tokens between the blockchain accounts of the transacting parties.In some implementations, the types of tokens used to represent theoff-chain assets can depend on the nature of the assets themselves. Forexample, fungible products (e.g., some amount of gasoline or a currency)can be represented with fungible tokens while non-fungible products(e.g., distinguishable products such as a product with a serial number)can be represented by non-fungible tokens. In some embodiments, tokensmay be stored off-chain, i.e., off of the ZKP-enabled DLN 100. Forexample, tokens may be stored in storage systems or databases that areoff of the ZKP-enabled DLN 100 but linked or coupled with theZKP-enabled DLN 100. For instance, if the ZKP-enabled DLN 100 is aZKP-enabled Ethereum blockchain network, the tokens may be stored in aSwarm database (i.e., a database configured according to the Ethereumstorage protocol). In some embodiments, the tokens may be stored on theZKP-enabled DLN 100 (e.g., in the storage systems associated with thecomputing nodes 102 a-102 e).

In some embodiments, as noted above, transactions that occur on theZKP-enabled DLN 100 (including off-chain transactions that arerepresented on the ZKP-enabled DLN 100 with the use of tokens, forexample) are recorded onto at least a substantial number (e.g., amajority, at least 60%, at least 75%, etc.) of the distributed ledgers104 a-104 e that exist on the ZKP-enabled DLN 100. For example, atransaction between a first transaction participant 110 a and a secondtransaction participant 110 b on the ZKP-enabled DLN 100 representingthe transfer of an off-chain asset (not shown) from the former to thelatter would be recorded on all or nearly all of the distributed ledgers104 a-104 e after at least a substantial number of the participants ofthe ZKP-enabled DLN 100 consent to the transaction being recorded on thedistributed ledgers 104 a-104 e of the ZKP-enabled DLN 100. In the caseof a blockchain network that is not ZKP-enabled, however, the firsttransaction participant 110 a and the second transaction participant 110b are afforded little or no privacy as all or nearly all the details ofthe transaction are made public or are visible to all that have accessto the blockchain network (the public, in case of public blockchains),such details including confidential information on the transactingparticipants, the asset being transacted, the tokens used to representthe asset and the representation of its transfer on the blockchainnetwork, and/or the like. The use of ZKPs in ZKP-enabled DLN 100provides at least enhanced privacy to transactions that occur or arerepresented on ZKP-enabled DLN 100 (e.g., transactions includingrepresentations of transfers of real-world assets, such as but notlimited to non-fungible assets, between participants of the ZKP-enabledDLN 100), as discussed in Applicant's U.S. Provisional Application No.62/719,636, filed Aug. 18, 2018, entitled “Methods and Systems ofZKP-Based Secure PE Transactions on Public Networks,” U.S.Non-Provisional application Ser. No. 16/534,858, filed Aug. 7, 2019,entitled “Methods and Systems for Enhancing Privacy on DistributedLedger-Based Networks”, U.S. Non-Provisional application Ser. No.16/283,452, filed Feb. 2, 2019, entitled “Methods and Systems forenhancing Privacy and Efficiency on Distributed Ledger-Based Networks,”U.S. Non-Provisional application Ser. No. 16/542,701, filed Aug. 16,2019, entitled “Methods and Systems for Implementing Zero-KnowledgeProofs in Transferring Partitioned Tokens on Distributed Ledger-BasedNetworks”, each of which is incorporated by reference herein in itsentirety.

In some embodiments, ZKPs can be used by a first entity, the “prover” or“provider” of the proofs, to convince a second entity, the “verifier” ofthe proofs, that a statement about some secret information is truthfulwithout having to reveal the secret information to the verifier. Forexample, as noted above, ZKPs can be used by a participant of aZKP-enabled DLN that has lost assets or tokens to theft to report thetheft to an arbitrator (e.g., insurer of the assets) without having todisclose the participant's identity (e.g., the participant's public keyon the ZKP-enabled DLN), the identity of the lost assets, and/or etc.ZKPs can be interactive, i.e., require interaction from the prover forthe verifier to verify the truthfulness of the statement. In someembodiments, the ZKPs can be non-interactive, requiring no furtherinteraction from the prover for the verifier to verify the statement.Examples of non-interactive ZKPs include zero-knowledge succinctnon-interactive argument of knowledge (zk-SNARK), zero-knowledgescalable transparent argument of knowledge (zk-STARK), etc. Discussionsof ZKPs can be found in Applicant's U.S. Non-Provisional applicationSer. No. 16/383,845, filed Apr. 15, 2019, entitled “Methods and Systemsfor Identifying Anonymized Participants of Distributed Ledger-BasedNetworks Using Zero-Knowledge Proofs,” which is incorporated byreference herein in its entirety.

FIG. 2 shows a flow chart illustrating the steps of minting a tokencommitment on a ZKP-enabled DLN to represent a real world (e.g.,off-chain) or physical asset on the ZKP-enabled DLN, according to anembodiment. To represent an off-chain transaction for a non-fungibleasset such as the transfer of an off-chain asset from a firsttransaction participant 110 a (referred hereinafter as the sender 110 a)to a second transaction participant 110 b (referred hereinafter as therecipient 110 b) on the ZKP-enabled DLN 100, in some embodiments, thesender 110 a may initially generate, at 202 and using the computing node102 a, an asset identifier that can serve as a unique identifier for theasset while concealing the asset's identity. In some implementations,the asset identifier may be generated in response to a request to havethe non-fungible asset represented on a ZKP-enabled DLN 100 so that theoff-chain transaction of the non-fungible asset can be represented onthe ZKP-enabled DLN 100. In some implementations, the sender 110 a cangenerate, using the computing node 102 a, an alpha-numeric value that isuniquely associated with some identifying parameters (e.g., serialnumbers, model numbers, etc.) of the asset, and the alpha-numeric valuecan be used as the asset identifier that hides the real identity of thenon-fungible physical asset. As another example, a unique assetidentifier can be generated by cryptographically hashing the identifyingparameters of the non-fungible physical asset to generate an asset tokenthat can serve as the unique asset identifier.

In some implementations, the cryptographic hashing computation caninclude the application of a cryptographic hashing algorithm or functionH such as but not limited to the SHA-256 algorithm or function, on theidentifying parameters of the non-fungible physical asset. For instance,if the non-fungible physical asset is a vehicle, an asset token torepresent the vehicle on the ZKP-enabled DLN 100 can be generated byapplying a hashing function (e.g., SHA-256) on one or more of theidentifying parameters of the vehicle such as the vehicle identificationnumber, model type, model year, etc. As a non-limiting example, a uniqueasset identifier or asset token A for a vehicle can be generated bycomputing A=H(VIN), where VIN is the vehicle identification number ofthe vehicle and H is a hashing function or algorithm. Accordingly, theasset token can serve as a unique asset identifier without exposing orrevealing to other participants of the ZKP-enabled DLN 100 any of theidentifying parameters of the asset (e.g., vehicle). In someembodiments, the hashing can occur off the ZKP-enabled DLN 100. Forexample, if the ZKP-enabled DLN 100 is a ZKP-enabled Ethereum blockchainnetwork, in some implementations, the asset token can be generated andstored off the Ethereum blockchain network at a Swarm storagenetwork/database.

At 204, a non-fungible physical asset can be registered or representedon the ZKP-enabled DLN 100 for the first time by generating or minting anon-fungible token commitment that encodes at least some aspects of thenon-fungible asset and/or the ownership of the asset on the ZKP-enabledDLN 100. In some embodiments, minting of a token commitment may refer tothe registration or representation of an asset on the ZKP-enabled DLN100 by a token commitment for the first time. As will be discussedbelow, new token commitments may be generated later to represent anasset that is being represented on the ZKP-enabled DLN 100 by anexisting token commitment. In such cases, however, the asset is beingtransferred to a new owner, and the generation of the new tokencommitment may be accompanied by the invalidation of the existing tokencommitment (which indicates that the asset does not belong to theinitial owner anymore). In any case, whether an asset (e.g.,non-fungible asset) is being registered or represented on theZKP-enabled DLN 100 for the first time by the minting of a tokencommitment or the transfer of the asset from one owner to another isbeing registered on the ZKP-enabled DLN 100 by generation of a new tokencommitment, the initially minted token commitment and/or the new tokencommitment may encode at least some aspects of the asset and/or theownership of the asset. To encode aspects of the non-fungible asset, insome implementations, a cryptographic hashing function or algorithm canbe applied to a unique asset identifier of the asset (e.g., the assettoken) that itself was obtained via an application of a hashing functionon the identifying parameters of the non-fungible asset, as discussed inthe example above. Further, to encode some aspects of the ownership ofthe asset, in some implementations, the cryptographic hashing functioncan also be applied to a public identifier on the ZKP-enabled DLN 100that is associated with the owner (e.g., sender 110 a when the sender110 a is minting the token commitment for the first time). An example ofsuch public identifier includes the public key of the sender on theZKP-enabled DLN 100 (i.e., the public key that is associated with thesender 110 a on the ZKP-enabled DLN 100).

In some embodiments, the cryptographic hashing function can also beapplied to, among other things, a random nonce such as, but not limitedto, a random or serial number that is securely generated and used, atleast in most cases, only once. In some implementations, a nonce Si canbe a randomly chosen number of sufficient length such that theprobability of generating the same number again in a subsequenttransaction is at most infinitesimally small (and as such, may beneglected). For instance, the nonce Si may be a randomly selected256-bit number. As such, the use of a random nonce in generatinganon-fungible token commitment results in the non-fungible tokencommitment being unique, independent of the non-fungible asset (e.g.,encoded by the asset token) and/or its ownership (e.g., encoded by thepublic key) that are also used in generating the non-fungible tokencommitment.

As discussed above, in some embodiments, a token commitment configuredto represent a non-fungible asset on the ZKP-enabled DLN 100 may begenerated by the application of a cryptographic hashing functioncollectively on an asset token identifying the asset, a publicidentifier on the ZKP-enabled DLN 100 of the owner (e.g., rightfulowner) of the asset token and a random nonce. In some embodiments, ingenerating the token commitment, the cryptographic hashing function mayalso be applied to, in addition to the asset token, the publicidentifier and the random nonce, a counting parameter configured for usein counting the number of times that the rightful owner of the assettoken has requested the recovery of the asset token from an arbitratorafter a loss or theft of the asset token, and a request was approved bythe arbitrator. For example, the counting parameter can be an element ofa countable set, examples of which include, whole numbers, naturalnumbers, odd natural numbers, even whole numbers, ordered letters,and/or the like. The use of a counting parameter in generating a tokencommitment may allow participants of the ZKP-enabled DLN 100 todetermine whether the token commitment, and any progeny token commitmentgenerated as a replacement thereof, are stolen or illegitimate tokencommitments, as discussed below.

In some embodiments, the minting of a non-fungible token commitment torepresent an asset ZKP-enabled DLN 100 for the first time may includethe computation of a token commitment Z_(s) as follows: Z_(s)=H(A{circlearound (*)}Pk_(s){circle around (*)}S_(s){circle around (*)}CP_(A)),where A is the asset token identifying the asset (e.g., obtained byhashing, off-chain, at least some identifying parameters of the asset),Pk_(s) is the public key on the ZKP-enabled DLN 100 that is associatedwith the sender 110 a (i.e., the current and rightful owner of theasset), S_(s) is a random nonce selected or generated by the computingnode 102 a of the sender 110 a, CP_(A) is the counting parameter for theasset token A (e.g., the number of times a request for recovery has beenmade for the asset token A and approved by the arbitrator), H is acryptographic hashing function or algorithm (e.g., SHA-256), and {circlearound (*)} represents a combining operator (e.g., the concatenationoperator 1, etc.). As the token commitment Z_(s) for the asset token Ais being minted or generated for the first time, CP_(A) may be set to avalue selected from the countable set that can serve as an initial valuefor CP_(A) (e.g., 0). For example, the initial value for CP_(A) may bedetermined by a pre-determined or pre-approved algorithm of theZKP-enabled DLN 100 that is used by all participants of the ZKP-enabledDLN 100 to determine an initial value for CP_(A) when minting a tokencommitment for an asset token.

In some embodiments, the computation of the token commitment Z_(s) mayinclude application of the hashing function on additional elementsbesides or instead of A, Pk_(s), S_(s) and CP_(A). In some embodiments,the token commitment comprises or consists of A, Pk_(s), S_(s) andCP_(A). In some embodiments, the application of the hashing function incomputing the token commitment Z_(s) allows for the generation orconstruction of the token commitment Z_(s) without revealing theidentities of the preimages of the hashing function H, i.e., withoutrevealing the identities A, Pk_(s), S_(s) and/or CP_(A) on theZKP-enabled DLN 100 (e.g., A, Pk_(s), S_(s) and/or CP_(A) may be keptsecret by the sender 110 a).

After the token commitment is computed, at 206, the sender 110 a mayprovide or publish, anonymously and using the computing node 102 a, thetoken commitment and/or a hash of the asset token A, H(A), to aself-executing code or smart contract on the ZKP-enabled DLN 100 to havethe token commitment minted or registered for the first time on theZKP-enabled DLN 100. Prior to the token commitment being included in thedistributed ledgers 104 a-104 e of the ZKP-enabled DLN 100 as arepresentation of the off-chain asset (e.g., identified by the assettoken A) on the ZKP-enabled DLN 100, however, the sender 110 a may haveto demonstrate to the ZKP-enabled DLN 100 that (1) the token commitmentin fact includes the asset token A, and/or (2) the asset is not alreadyrepresented on the ZKP-enabled DLN 100, i.e., a token commitment is notalready minted for the asset on the ZKP-enabled DLN 100 (e.g., to avoid“double minting,” which can lead to undesirable “double spend” or“double transfer” on the ZKP-enabled DLN 100 of multiple tokencommitments all representing the same asset), according to someembodiments. In some implementations, the sender 110 a may generate andprovide anonymously to the smart contract, using the computing node 102a, a ZKP that the token commitment provided to the smart contractincludes the asset token A. Further, the ZKP may also include a proofthat a hash of the asset token A, H(A), includes the asset token A. Insome implementations, the hash H(A) can be used by the smart contract toverify that the asset is not already represented on the ZKP-enabled DLN100. For example, the smart contract may verify that there has neverbeen an H(A) provided to the smart contract previously (e.g., if theasset has never been represented on the ZKP-enabled DLN 100), and ifthere is one, the token commitment can be rejected for “double-minting.”In some implementations, the hashing of A allows the sender 110 a tohide the identity of the asset token A and/or the off-chain assetidentified by the asset token A from the ZKP-enabled DLN 100 or thesmart contract. The use of H(A) by a smart contract to prevent“double-minting” is discussed in Applicant's U.S. Non-Provisionalapplication Ser. No. 16/534,858, filed Aug. 7, 2019, entitled “Methodsand Systems for Enhancing Privacy on Distributed Ledger-Based Networks”,U.S. Non-Provisional application Ser. No. 16/283,452, filed Feb. 2,2019, entitled “Methods and Systems for enhancing Privacy and Efficiencyon Distributed Ledger-Based Networks,” U.S. Non-Provisional applicationSer. No. 16/542,701, filed Aug. 16, 2019, entitled “Methods and Systemsfor Implementing Zero-Knowledge Proofs in Transferring PartitionedTokens on Distributed Ledger-Based Networks”, each of which isincorporated by reference herein in its entirety.

Further, in some embodiments, the sender 110 a may also generate andprovide anonymously to the smart contract, using the computing node 102a, a ZKP that the initial value that was assigned to CP_(A) whengenerating the token commitment was calculated or determined accordingto the pre-determined algorithm of the ZKP-enabled DLN 100 that wasconfigured for calculating initial CP_(A) values when generating tokencommitments for the first time. For example, the pre-determinedalgorithm can be an algorithm that is agreed upon (e.g., pre-approved)by most or all participants of the ZKP-enabled DLN 100 as the algorithmto be used for determining the values of CP_(A) (including the initialvalue of CP_(A) to be used when calculating Z_(s)=H(A{circle around(*)}Pk_(s){circle around (*)}_(s){circle around (*)}CP_(A)) for an assettoken A for the first time). For instance, the predetermined algorithmmay use the set of whole numbers as the countable set from which tochoose CP_(A) values, and select 0 or any other whole number as theinitial value of CP_(A) to be used when calculating Z_(s). In suchcases, the sender 110 a may generate, using the computing node 102 a, aZKP that Z_(s) was generated using an initial value for CP_(A) that wasdetermined or selected by the pre-determined algorithm.

In some embodiments, the sender 110 a, using the computing node 102 a,provides the above-mentioned ZKPs to the smart contract without havingrevealed the pre-images of the hashing function H that were used ingenerating Z_(s), i.e., without having revealed to the participants ofthe ZKP-enabled DLN 100, the asset token A, the identity of the owner(e.g., the public key or identifier Pk_(s) of the owner), the nonceS_(s) and/or the counting parameter CP_(A). In other words, by usingZKPs, the sender 110 a can present to the ZKP-enabled DLN 100 (e.g., tothe participants and/or the smart contract) proofs that Z_(s) wasgenerated via the application of a hashing function on A, Pk_(s), S_(s)and/or CP_(A) and/or that the initial value for CP_(A) was selectedusing a pre-determined or pre-approved algorithm, without having toreveal on the ZKP-enabled DLN 100 A, Pk_(s), S_(s) and/or CP_(A). Insome implementations, this may also allow the sender 110 a to keepconfidential the identity of the off-chain (e.g., physical) asset thatis represented by Z_(s) on the ZKP-enabled DLN 100. As such, the privacyof the sender 110 a is enhanced or at least maintained as a result ofthe use of ZKPs on the ZKP-enabled DLN 100 when interacting with thesmart contract (e.g., to mint a token commitment) on the ZKP-enabled DLN100.

In some embodiments, at 208, the sender 110 a, using the computing node102 a, may initialize a state variable (e.g., a public state variable)for the counting parameter CP_(A), e.g., CP_(A)*, on the ZKP-enabled DLN100 for use by participants 110 a-110 e of the ZKP-enabled DLN 100 todetermine if token commitments the participants 110 a-110 e received arestolen or illegitimate, as discussed below. In some implementations, thecounting parameters (e.g., one for each asset token) may be stored onthe ZKP-enabled DLN 100 (e.g., the storage systems associated with thecomputing nodes 102 a-102 e) in a data structure which allowsparticipants of the ZKP-enabled DLN 100 to ‘lookup’ the countingparameter for a given asset token (e.g., a ‘hash table’ data structure,or an indexed object). In some implementations, the sender 110 a may notwish to initialize the state variable for CP_(A) (e.g., CP_(A)*) in adata structure which is indexed by the asset token A itself, as thismight reveal asset token A to all participants on the ZKP-enabled DLN100. For example, since the state variable can be a public statevariable, initializing the state variable CP_(A)* with reference to Adirectly (i.e., initializing the state variable CP_(A)* by storing itpublicly as the ‘image’ of a function or hash table applied to Adirectly) can expose the asset token A on the ZKP-enabled DLN 100. Assuch, the state variable for CP_(A) (e.g., CP_(A)*) may be initializedwith a secondary parameter that is related to CP_(A) but hides, cloaksor obfuscates the identity of the asset token A and/or CP_(A). Forexample, a secondary parameter D can be a publicly available parameterthat serves as a representative of the asset token A that hides, cloaksor obfuscates A and which serves as the ‘lookup’ key′ to lookup thecounting parameter CP_(A)* as it is stored on the ZKP-enabled DLN 100.An example of such a representative of the asset token A includes ahashed value of A, e.g., D=H(A), or an encryption of A. In other words,the public state variable for CP_(A) (e.g., CP_(A)*) may be initializedby storing it as the image of some function which takes D as input andoutputs the currently stored value of CP_(A)* on the ZKP-enabled DLN100. In such implementations, an owner of a newly received tokencommitment might receive (e.g., in a communication channel off-the-DLN)from the sender details of all of the values of the ‘pre-image’ of thetoken commitment, including the value of CP_(A) contained therein. Theowner can then compare this value of CP_(A) against the publiclyavailable value CP_(A)* which is stored on the ZKP-enabled DLN 100 (theowner may at first need to determine the representative of the assettoken A (e.g., determine D, which may be obtained by hashing A or byencrypting A) in order to lookup the value of CP_(A)*. In someimplementations, the mapping from a representative of the asset token Ato the counting parameter CP_(A)* can be a public mapping, i.e., amapping that is visible to all participants 110 a-110 e of theZKP-enabled DLN 100 (while the value A remains private or hidden). Thatis, all participants 110 a-110 e of the ZKP-enabled DLN 100 can publiclyaccess the value of CP_(A)*; however, the participants 110 a-110 e maynot be able to associate it with the asset token A unless theparticipants 110 a-110 e have access to the asset token A and/or theparticipants know how to decrypt the value of D to learn A (if anencryption scheme is used), so that the participants 110 a-110 e cancompute D and obtain CP_(A)*.

Upon receiving the token commitment Z_(s), the hash of the asset tokenH(A), and/or other public parameters, and/or the ZKPs, in someembodiments, the self-executing code or smart contract may verify theZKPs, for example, as discussed in Applicant's U.S. Non-Provisionalapplication Ser. No. 16/383,845, filed Apr. 15, 2019, entitled “Methodsand Systems for Identifying Anonymized Participants of DistributedLedger-Based Networks Using Zero-Knowledge Proofs,”, which isincorporated by reference herein in its entirety. In someimplementations, the smart contract may verify the ZKPs to verifystatements included in the ZKPs, such as the statements that H(A)includes A (i.e., the statement that H(A) is obtained by applying ahashing function or algorithm on the asset token A) and the statementthat the token commitment Z_(s) also includes A (i.e., the statementthat Z_(s) is obtained by applying a hashing function or algorithm onthe asset token A). Further, the smart contract may verify that therehas never been an H(A) provided to the smart contract previously (e.g.,if the asset has never been represented on the ZKP-enabled DLN 100). Inaddition, the smart contract may also verify that the initial value ofCP_(A) used in calculating Z_(s) was determined or selected by thepre-determined or pre-approved algorithm. After the verification of theZKPs, in some implementations, the sender 110 a may receive aconfirmation, at 210 and via the computing node 102 a, that the tokencommitment Z_(s) has been approved for addition or inclusion to thecommitments data structure on the ZKP-enabled DLN 100, serving as anindication that the off-chain asset identified with the asset token A isrepresented on the ZKP-enabled DLN 100 by the token commitment Z_(s) andthat the owner is the sender 102 a, identified on the ZKP-enabled DLN100 by the public key Pk_(s) (which is used in generating the tokencommitment Z_(s)). It is to be noted that the token commitment Z_(s) maybe included into the commitments data structure without the identitiesof the asset token A and/or the sender 102 a being revealed publicly oron the ZKP-enabled DLN 100.

In some embodiments, as noted above, the use of the counting parameterCP_(A) in generating a token commitment may allow participants of theZKP-enabled DLN 100 to determine whether the token commitment, and anyprogeny token commitment generated as a replacement thereof, are stolenor illegitimate token commitments. As will be discussed in more detailbelow, when a rightful owner of a lost or stolen token commitment on aZKP-enabled DLN 100 presents a recovery request to an arbitrator (e.g.,or multiple arbitrators) after the loss or theft, and such a request isapproved by the arbitrator, the new replacement token commitment thatmay be minted to replace the lost or stolen commitment may be generatedusing a value for the CP_(A) that is next in the countable set to thevalue of the CP_(A) used in generating the lost or stolen tokencommitment. For example, if a lost token commitment is the first tokencommitment to represent an off-chain asset on the ZKP-enabled DLN 100,then the CP_(A) value used in generating the token commitment may beCP_(A)=0, and a replacement token commitment generated using the nextvalue for the counting parameter (e.g., CP_(A)=1) may then be recognizedon the ZKP-enabled DLN 100 as a legitimate representation of theoff-chain asset (e.g., the smart contract on the ZKP-enabled DLN 100 mayinclude the replacement token commitment into a commitments datastructure on the ZKP-enabled DLN 100 where approved or legitimate or alltoken commitments are stored). In such implementations, the public statevariable of the CP_(A) (e.g., CP_(A)*) stored on the ZKP-enabled DLN 100may also be adjusted to match the counting parameter used in generatingthe replacement token commitment (e.g., CP_(A)* adjusted from 0 to 1).As another example, if the lost token commitment is the third tokencommitment to represent the off-chain asset on the ZKP-enabled DLN 100(e.g., the previous two having been lost or stolen too), the CP_(A)value used in generating the currently lost token commitment can be 2(e.g., the first two token commitments may have been generated usingCP_(A)=0 and 1). Once the rightful owner requests recovery and anarbitrator approves it, a replacement token commitment generated usingthe next value for the counting parameter (e.g., CP_(A)=3) may then berecognized on the ZKP-enabled DLN 100 as a legitimate representation ofthe off-chain asset. Again, in such implementations, the public statevariable of the CP_(A) (e.g., CP_(A)*) stored on the ZKP-enabled DLN 100may also be adjusted to match the counting parameter used in generatingthe replacement token commitment (e.g., CP_(A)* adjusted from 2 to 3).

In such embodiments, participants of the ZKP-enabled DLN 100 may useinformation associated with a counting parameter CP_(A) (e.g., the valueof the counting parameter CP_(A)) used to generate a token commitmentthe participants own or received (which may be a token commitmentgenerated to represent an off-chain asset on a ZKP-enabled DLN 100 forthe first time, or a progeny thereof) to determine whether the tokencommitment is a stolen or illegitimate token commitment. For example,when a recipient 110 b of a token commitment receives on a ZKP-enabledDLN 100 a token commitment and wants to check whether the tokencommitment is legitimate (e.g., not stolen), the recipient 110 b maywish to determine if the CP_(A) used to generate the token commitmentmatches the public state variable for CP_(A) (CP_(A)*) that is availableor stored on the ZKP-enabled DLN 100. In some implementations, asdiscussed above, the recipient 110 b may determine the representative ofthe asset token A that hides or obfuscates A on the ZKP-enabled DLN 100(e.g., calculate D=H(A)) and ‘lookup’ the value of CP_(A)* from a publicmapping from D to CP_(A)*, to arrive at CP_(A)*. The recipient 110 b maythen compare this counting parameter CP_(A)* (e.g., obtained from theZKP-enabled DLN 100) to the counting parameter CP_(A) used to generatethe token commitment (e.g., which, in some cases, may be provided to therecipient 110 b by the sender 110 a via a communications channel that isoff-chain). If the two counting parameters match, then, in someimplementations, the recipient 110 b may determine that the tokencommitment is in fact a legitimate (e.g., not stolen) token commitment.Otherwise, the recipient 110 b may determine that the token commitmentis an illegitimate or stolen token commitment, and report the tokencommitment on the ZKP-enabled DLN 100 as discussed below with referenceto FIG. 3 .

As discussed above, a mismatch between the counting parameter used togenerate a token commitment and the counting parameter stored on theZKP-enabled DLN 100 for that token commitment may be interpreted as anindication that the token commitment is fraudulent, stolen orillegitimate. As such, when an existing token commitment representing anoff-chain asset on the ZKP-enabled DLN 100 is nullified (i.e.,invalidated so that the existing token commitment no longer representsthe off-chain asset on the ZKP-enabled DLN 100) and a new tokencommitment representing the off-chain asset on the ZKP-enabled DLN 100is generated by the sender 110 a to transfer to recipient 110 b as partof a legitimate transaction including the transfer (e.g., sale) of theoff-chain asset from the sender 110 a to the recipient 110 b, in someembodiments, the smart contract may enforce that the counting parameterused to generate the new token commitment remains the same as thecounting parameter used to generate the existing (and nullified) tokencommitment (e.g., by rejecting to include the new token commitment ontothe commitments data structure on the ZKP-enabled DLN 100). That is, ifan existing token commitment is nullified, the smart contract mayenforce that the counting parameter used to generate the new tokencommitment matches the counting parameter stored on the ZKP-enabled DLN100 for the existing token commitment.

As a non-limiting example illustration, in some embodiments, thetransfer of an off-chain asset identified by an asset token A from thesender 110 a to the recipient 110 b can be represented on theZKP-enabled DLN 100 by the generation of the recipient token commitmentZ_(r)=H(A{circle around (*)}Pk_(r){circle around (*)}S_(r){circle around(*)}CP_(A)′) (and inclusion onto the commitments data structure on theZKP-enabled DLN 100 if approved by the smart contract) and thenullification of the existing token commitment Z_(s)=H(A{circle around(*)}Pk_(s){circle around (*)}S_(s){circle around (*)}CP_(A)), where A isthe asset token identifying the asset (e.g., obtained by hashing,off-chain, at least some identifying parameters of the asset), Pk_(r) isthe public key on the ZKP-enabled DLN 100 that is associated with therecipient 110 b, S_(r) is a random nonce (e.g., generated by thecomputing node 102 a of the sender 110 a), CP_(A)′ is a countingparameter for the asset token A (e.g., generated using a pre-determinedor pre-approved algorithm of the ZKP-enabled DLN 100 that is configuredto be used by all participants of the ZKP-enabled DLN 100 to generatecounting parameters when minting token commitments on the ZKP-enabledDLN 100), H is a cryptographic hashing function or algorithm (e.g.,SHA-256), and {circle around (*)} represents a combining operator (e.g.,the concatenation operator |, etc.). Details of the representation, onthe ZKP-enabled DLN 100, of the transfer of off-chain assets, includingthe generation of the recipient token commitment and the nullificationof an existing token commitment, are further discussed in Applicant'sU.S. Non-Provisional application Ser. No. 16/534,858, filed Aug. 7,2019, entitled “Methods and Systems for Enhancing Privacy on DistributedLedger-Based Networks”, U.S. Non-Provisional application Ser. No.16/283,452, filed Feb. 2, 2019, entitled “Methods and Systems forenhancing Privacy and Efficiency on Distributed Ledger-Based Networks,”U.S. Non-Provisional application Ser. No. 16/542,701, filed Aug. 16,2019, entitled “Methods and Systems for Implementing Zero-KnowledgeProofs in Transferring Partitioned Tokens on Distributed Ledger-BasedNetworks”, each of which is incorporated by reference herein in itsentirety.

In some embodiments, the sender 110 a may provide the recipient tokencommitment Z_(r) to the smart contract along with, among other things asdiscussed in the above-identified patent applications, a ZKP thatCP_(A)′=CP_(A). In some implementations, the smart contract allows therecipient token commitment Z_(r) to be added onto the commitments datastructure on the ZKP-enabled DLN 100 after verifying the ZKP, whichindicates that recipient 110 b is the new owner of the asset token A. Ifthe verification of the ZKP fails, on the other hand, in someimplementations, the smart contract may reject the recipient tokencommitment Z_(r) and prevent the addition or inclusion of Z_(r) onto thecommitments data structure. The verification of the ZKP may fail, forexample, if CP_(A)′ does not match CP_(A) (which may also mean CP_(A)′may not match the counting parameter (e.g., CP_(A)*) stored onZKP-enabled DLN 100 for the token commitment Z_(s)). In someimplementations, the smart contract, by verifying the ZKP, may confirmthat CP_(A)′=CP_(A) without directly comparing the CP_(A)′ of Z_(r) withthe CP_(A) of Z_(s). In other words, the use of ZKPs allows the smartcontract to confirm CP_(A)′=CP_(A) without the smart contract havingaccess to the specific values of CP_(A)′ or CP_(A). In someimplementations, the smart contract may not directly compare either ofthe values CP_(A)′ or CP_(A) against the counting parameter CP_(A)*stored on ZKP-enabled DLN 100, as this may require the values of CP_(A)′and/or CP_(A) to be made public, which could leak information relatingto the transfer to participants of the ZKP-enabled DLN 100. In someimplementations, the recipient of the token commitment Z_(r) may querythe current, publicly-stored value of CP_(A)* from the ZKP-enabled DLN100, and compare this against CP_(A)′. In some implementations, equalityin this case may mean the received token commitment Z_(r) is alegitimate representative of the asset token A. The asset token A,however, may be hidden from the smart contract (and from otherparticipants of the ZKP-enabled DLN 100, except the sender 110 a and/orthe recipient 110 b, for example).

Another example of the types of transactions (besides or in addition toasset transfer transactions) where a smart contract may enforce therequirement that the counting parameter used to generate a new tokencommitment matches the counting parameter used to generate an existingtoken commitment includes the burning of a token commitment (torepresent on the ZKP-enabled DLN 100 the off-chain asset is no longerrepresented by the token commitment).

As discussed above, in some embodiments, token commitments may bedetermined to be illegitimate, stolen or fraudulent if the countingparameter used to generate the token commitment fails to match thecounting parameter stored on the ZKP-enabled DLN 100 for the asset tokenwhich the token commitment represents. In some implementations, thecounting parameter stored on the ZKP-enabled DLN 100 counts the numberof times a rightful owner of a token commitment has successfullyrequested for recovery of the token commitment after discovering thatthe token commitment has been stolen or lost. For example, a participant110 d on the ZKP-enabled DLN 100 (hereinafter referred to as “thief”)may obtain the private key of the sender 110 a and proceed withtransferring the ownership of the token commitment Z_(s)=H(A{circlearound (*)}Pk_(s){circle around (*)}S_(s){circle around (*)}CP_(A)) fromthe sender 110 a to himself or herself by nullifying Z_(s) andgenerating and submitting to the smart contract a new token commitmentZ_(t)=H(A{circle around (*)}Pk_(t){circle around (*)}S_(t){circle around(*)}CP_(A)), where Pk_(t) is the public key on the ZKP-enabled DLN 100of the thief 110 d and S_(t) is a random nonce (e.g., generated by thecomputing node 102 d of the thief 110 d). In some implementations, thesmart contract may allow the addition of Z_(t) into the commitments datastructure on the ZKP-enabled DLN 100 after verifying ZKPs required foradding a token commitment onto the commitments data structure (andprovided by the thief 110 d). As another example, the sender 110 a maymistakenly transfer the token commitment Z_(s) to the thief 110 d andthe thief 110 d may not be willing to return the same. In suchinstances, the sender 110 a may request for recovery of the lost orstolen asset from an arbitrator 110 c (e.g., insurer of the lost asset),and if approved by the arbitrator 110 c, the stored counting parametermay be increased by one (or in general, may be changed to the next valueon the countable set used to obtain the counting parameter), asdiscussed below with reference to FIG. 3 .

FIG. 3 shows a flow chart illustrating the generation and submission ofa request for recovery of token commitments stolen or lost on adistributed ledger-based network, according to some embodiment. In someembodiments, at 302, a rightful owner of a token commitment (e.g.,sender 110 a) may discover that the token commitment has been lost orstolen, as discussed above, for example. In such embodiments, therightful owner or sender 110 a may wish to request for recovery of thelost or stolen token commitments from the arbitrator 110 c (e.g., ormultiple arbitrators). In some implementations, to request for recovery,the sender 110 a may have to demonstrate to the arbitrator 110 c thatthe sender 110 a is the true owner of the private key of the account onthe ZKP-enabled DLN 100 from which the token commitment is stolen orlost. That is, at 302, the sender 110 a may have to demonstrate that thesender 110 a is the true owner of the private key that corresponds tothe public key used in generating the lost or stolen token commitment.As such, the sender 110 a may have to demonstrate that the (a) thestolen or lost token commitment is generated using the public key of thesender 110 a, (b) the public key of the sender 110 a is derived oridentified using the private key of the sender 110 a (e.g., the privatekey that compromised and used by the thief 110 d to steal the tokencommitment), and (c) the sender 110 a is in fact the true owner of thisprivate key. For example, at 304, the sender 110 a may have to generatea ZKP that proves, when verified by the smart contract on theZKP-enabled DLN 100, that 110 a i) the sender 110 a knows how to derivethe private key from a secure master key configured for use on theZKP-enabled DLN 100 as the master key from which one or more (e.g., all)private keys of a person's accounts on the ZKP-enabled DLN 100 aregenerated; ii) the public key used to generate the stolen or lost tokencommitment was derived using the private key; and iii) the stolen orlost token commitment was generated using the public key. Further, thesender 110 a may avoid having to publicly reveal the stolen or losttoken commitment by generating a ZKP to prove that iv) the stolen orlost token commitment was stored in the commitments data structure onthe ZKP-enabled DLN 100. In some implementations, the ZKPs can be usedto prove the statements in (i), (ii), (iii) and/or (iv) without havingto disclose or reveal publicly the existence and/or identities of thestolen or lost token commitment, the asset token A, the off-chain assetrepresented on the ZKP-enabled DLN 100 by the stolen or lost tokencommitment and/or the sender 110 a. In some embodiments, the ZKP thatthe sender 110 a has ownership or knowledge of the private key mayinclude other methods in addition to or instead of demonstrating thatthe private key can be generated from a master key.

In some embodiments, it may not be sufficient for the sender 110 a toshow or prove possession of the private key (e.g., the compromisedprivate key) to demonstrate that the sender 110 a is in fact therightful owner of the stolen or lost token commitment as, for example,the thief 110 d may also be in possession of the same private key. Insuch instances, one or more master keys for each participant 110 a-110 eof the ZKP-enabled DLN 100 may be stored in a secure master key databaseor data structure, the master keys being such that one or more of theprivate keys of each participant 110 a-110 e on the ZKP-enabled DLN 100may be derived from the one or more master keys of that participant 110a-110 e via the application of an algorithm (e.g., a pre-determined orpre-approved algorithm that is known or available to the smart contractand/or the off-chain code which facilitates generation of a validzero-knowledge proof of knowledge of a master key which derives theprivate key). In some instances, the secure master key database or datastructure may be stored off of the ZKP-enabled DLN 100. In someinstances, the master key and the private keys of accounts on theZKP-enabled DLN 100 may be stored in separate databases or datastructures. In some implementations, the master keys of the participants110 a-110 e may not be stored in the same master key database or datastructure. For example, each master key for the participant 110 a-110 eof the ZKP-enabled DLN 100 may be stored in separate secure master keydatabase or data structures (e.g., to increase the level of security forthe master keys).

In some embodiments, to demonstrate that the sender 110 a is the trueowner of the compromised private key, the sender 110 a may generate,using the computing node 102 a, a ZKP that the sender 110 a knows how toderive the compromised private key by applying the pre-approved orpre-determined algorithm to one of the one or more the sender's 110 amaster keys. In such embodiments, the use of the ZKP allows the sender110 a to demonstrate that the sender 110 a can derive the private keyfrom a master key without having to publicly reveal the master key onthe ZKP-enabled DLN 100 (e.g., to the smart contract or the otherparticipants on the ZKP-enabled DLN 100). In some implementations, thepre-approved or pre-determined algorithm can be participant-specific,i.e., the algorithm to derive a particular participant's private keysfrom that participant's master key(s) may be unique to the participant(e.g., and may be secure, i.e., may not be visible or available to theother participants of the ZKP-enabled DLN 100). In such implementations,the use of the ZKP allows the sender 110 a to demonstrate that thesender 110 a can derive the private key from a master key without havingto publicly reveal the master key and/or the algorithm used to derivethe private key on the ZKP-enabled DLN 100. In some implementations, thepre-approved or pre-determined algorithm may be enforced by theZKP-enabled DLN 100, i.e., the algorithm to derive all participants'private keys from their master key(s) may be the same. In suchimplementations, the use of the ZKP allows the sender 110 a todemonstrate that the sender 110 a can derive the private key from amaster key without having to publicly reveal the master key used toderive the private key on the ZKP-enabled DLN 100, whilst convincingparticipants that the derivation was correct because the algorithm isenforced to be the same for all participants. In some implementations, aproof of the ZKP by the smart contract on the ZKP-enabled DLN 100 may beviewed as a convincing demonstration that the sender 110 a is in factthe true or rightful owner of the compromised private key, since thethief 110 d or anyone else not approved by the sender 110 a is notlikely to have access to the master key(s) to be able to generate theabove-discussed ZKP.

Further, in some embodiments, the sender 110 a may also generate, usingthe computing node 102 a, the ZKP that the public key used to generatethe stolen or lost token commitment was derived using the compromisedprivate key (e.g., the private key which the sender 110 a demonstratedthey can derive from a secure master key). For example, the sender 110 acan generate, using the computing node 102 a, a ZKP that Pk_(s) may beobtained by hashing the compromised private key, i.e., Pk_(s)=H(Sk_(s)),where Sk_(s) is the compromised private key and Pk_(s) is the public keyused in generating the stolen or lost token commitment Z_(s) (e.g.,Z_(s)=H(A{circle around (*)}Pk_(s){circle around (*)}S_(s){circle around(*)}CP_(A)) as discussed above). In some implementations, the use of theZKP allows the sender 110 a to demonstrate, if the ZKP is verified, thatthe public key of the sender 110 a was derived from the compromisedprivate key without having to publicly reveal the identity of the sender110 a (or the compromised private key).

In addition, in some embodiments, the sender 110 a may also generate,using the computing node 102 a, a ZKP that the stolen or lost tokencommitment was generated using the public key. For example, the sender110 a may generate, using the computing node 102 a, a ZKP that thestolen or lost token commitment is obtained by applying a cryptographichashing function on the public key on the ZKP-enabled DLN 100 of thesender 110 a (e.g., Z_(s)=H(A{circle around (*)}Pk_(s){circle around(*)}S_(s){circle around (*)}CP_(A))). In some embodiments, the sender110 a may not wish to identify to the smart contract or the otherparticipants of the ZKP-enabled DLN 100 the identity of the stolen orlost token commitment. That is, the sender 110 a may wish to demonstratethat the stolen or lost token commitment is generated using the publickey of the sender 110 a without having to identify publicly the stolenor lost token commitment. In such embodiments, the ZKP may include theZKP that the stolen or lost token commitment is one of the tokencommitments stored in the commitments data structure of the ZKP-enabledDLN 100. For example, the ZKP may include the ZKP that the stolen orlost token commitment is a leaf node of a tree structure such as, butnot limited to, a Merkle tree that contains token commitments as leafnodes (e.g., the commitments data structure may be a Merkle tree andtoken commitments submitted to the smart contract by the participants110 a-110 e and approved for addition to the commitments data structureby the smart contract may be stored as leaf nodes of the Merkle tree).Such a ZKP, when verified, may allow the sender 110 a to demonstratethat the stolen or lost token commitment is generated using the publickey of the sender 110 a without having to identify the stolen or losttoken commitment to the smart contract or publicly on the ZKP-enabledDLN 100.

In some embodiments, the above-discussed ZKPs are configured to convincethe arbitrator 110 c, upon verification of the ZKPs, that the sender 110a is in fact the true or rightful owner of the stolen or lost tokencommitment Z_(s). As discussed above, the ZKPs may be provided to thesmart contract as parts of a request for recovery of the tokencommitment from the sender 110 a to an arbitrator 110 c (e.g., insurerof the lost asset, i.e., the off-chain asset identified by the assettoken A). In some embodiments, the request for recovery of the tokencommitment may also include a replacement token commitment to represent,on the ZKP-enabled DLN 100, the same off-chain asset token representedby the stolen or lost token commitment Z_(s). In such embodiments, thesender 110 a may wish for the replacement token commitment to beincluded in the commitments data structure on the ZKP-enabled DLN 100 asthe legitimate token commitment representing the off-chain assetidentified by the asset token A, while the stolen or lost tokencommitment Z_(s) (and any progeny token commitments resulting from thetransferring of Z_(s) (and hence the ownership of the asset token A) viathe generation of a new token commitment on the ZKP-enabled DLN 100through methods discussed in Applicant's U.S. Non-Provisionalapplication Ser. No. 16/534,858, filed Aug. 7, 2019, entitled “Methodsand Systems for Enhancing Privacy on Distributed Ledger-Based Networks”,U.S. Non-Provisional application Ser. No. 16/283,452, filed Feb. 2,2019, entitled “Methods and Systems for enhancing Privacy and Efficiencyon Distributed Ledger-Based Networks,” U.S. Non-Provisional applicationSer. No. 16/542,701, filed Aug. 16, 2019, entitled “Methods and Systemsfor Implementing Zero-Knowledge Proofs in Transferring PartitionedTokens on Distributed Ledger-Based Networks”) is identified on theZKP-enabled DLN 100 as an illegitimate or fraudulent token commitment.Accordingly, at 306, in some embodiments, the sender 110 a, using thecomputing node 102 a, may generate or mint a replacement tokencommitment and a ZKP that, among other things, the replacement tokencommitment is obtained via an application of a hashing function on thesame asset token A (e.g., the asset token A used in generating thestolen or lost token commitment). Further, the ZKP may also include theZKP that the counting parameter used in generating the replacement tokencommitment is next in the countable set to the value of the CP_(A) usedin generating the lost or stolen token commitment (e.g., incrementedfrom CP_(A) by a unit of the countable set).

In some embodiments, the replacement token commitment configured torepresent, on the ZKP-enabled DLN 100, the asset identified by the sameasset token A may be computed as follows: Z_(s)'=H(A{circle around(*)}Pk_(s)′{circle around (*)}S_(s)′{circle around (*)}CP_(A)++), where,Pk_(s)′ is a new public key on the ZKP-enabled DLN 100 of the sender 110a, S_(s)′ is a random nonce (e.g., generated by the computing node 102 aof the sender 110 a) and CP_(A)++ is a counting parameter for the assettoken A incremented from CP_(A) (e.g., to indicate that an additionalrequest for recovery has been submitted to the smart contract for theasset identified by the asset token A), H is a cryptographic hashingfunction or algorithm (e.g., SHA-256), and {circle around (*)}represents a combining operator (e.g., the concatenation operator |,etc.). In some implementations, the sender 110 a may obtain CP_(A)++ byfirst accessing CP_(A) from the ZKP-enabled DLN 100, as discussed above,and then identifying the next counting parameter in the pre-agreedsequence of counting parameters. In some implementations, the sender 110a may obtain CP_(A)++ by first accessing CP_(A) from their privatedatabase (e.g., and double-check its correctness by calculating H(A, Pk,S, CP_(A)) again and comparing the resulting value against Z_(s)), andthen identifying the next counting parameter in the pre-agreed sequenceof counting parameters. In some implementations, Pk_(s)′ can bedifferent than Pk_(s), the public keys used in generating the stolen orlost token commitment Z_(s), because the sender 110 a may obtain a newpublic key-private key pair to generate the replacement token commitmentZ_(s)′ (e.g., since the private key corresponding to the public keyPk_(s) was compromised, i.e., accessed by the thief 110 d). In someembodiments, the computation of the token commitment Z_(s)′ may includeapplication of the hashing function on additional elements besides orinstead of A, Pk_(s)′, S_(s)′ and CP_(A)++. In some embodiments, thetoken commitment comprises or consists of A, Pk_(s)′, S_(s)′ andCP_(A)++. In some embodiments, the application of the hashing functionin computing the replacement token commitment allows for the generationor construction of the replacement token commitment without revealingthe identities of the preimages of the hashing function H, i.e., withoutrevealing the identities A, Pk_(s)′, S_(s)′ and CP_(A)++ on theZKP-enabled DLN 100 (e.g., A, Pk_(s)′, S_(s)′ and CP_(A)++ may be keptsecret by the sender 110 a).

In some embodiments, if the recovery request is approved by thearbitrator 110 c and the replacement token commitment is added into thecommitments data structure on the ZKP-enabled DLN 100, the countingparameter for the asset token A stored on the ZKP-enabled DLN 100 mayalso be incremented to match the counting parameter used to generate thereplacement token commitment. That is, the counting parameter for theasset token A stored on ZKP-enabled DLN 100 (e.g., CP_(A)*) may beincremented to match CP_(A)++ since Z_(s)′ is now the newly approvedtoken commitment that represents, on the ZKP-enabled DLN 100, the assetidentified by the asset token A. As discussed above, a later mismatchbetween the counting parameter used in generating a token commitment torepresent an asset identified by an asset token and the countingparameter stored on the ZKP-enabled DLN 100 (CP_(A)*) for that assettoken can serve as an indication of the illegitimacy of the tokencommitment. As such, the mismatch between the counting parameter used togenerate the stolen or lost token commitment to represent the assettoken A, i.e., CP_(A), and the counting parameter stored on theZKP-enabled DLN 100 for that same asset token A, i.e., CP_(A)* which hasbeen incremented to equal CP_(A)++, may serve as an indication, to allparticipants of the ZKP-enabled DLN 100, that the stolen or lost tokencommitment is illegitimate.

In some embodiments, as discussed above, the relationship between theasset token A and its counting parameter CP_(A)* (which is stored on theZKP-enabled DLN 100) may not be publicly visible or available as thatmay require the asset token A to be exposed or revealed. The privacy orconfidentiality of the asset token A may be protected via the use of arepresentative of the asset token A that hides, cloaks or obfuscates Aon the ZKP-enabled DLN 100, an example of such a representativeincluding a hashed value of A, i.e., D=H(A). In some implementations,the representative D of the asset token A may be linked to the countingparameter CP_(A)* on the ZKP-enabled DLN 100, so that not allparticipants of the ZKP-enabled DLN 100 can learn information relatingto the asset token A, such as that the asset token A is beingrepresented on the ZKP-enabled DLN 100, or the value of the countingparameter of A. In some implementations, the counting parameter for theasset token A which is stored on the ZKP-enabled DLN 100 (CP_(A)*) maybe incremented to match the counting parameter CP_(A)++ of a replacementtoken commitment representing the asset token A, as discussed above(e.g., after the arbitrator 110 c approves the recovery request). Insuch implementations, an owner of the replacement token commitment (andowners of any progeny token commitments of this replacement tokencommitment) that wishes to determine the counting parameter used togenerate the replacement token commitment may at first determine therepresentative of the asset token A (e.g., determine D, which may beobtained by hashing A), and then query the value of CP_(A)* which isassociated with D from the ZKP-enabled DLN 100, to obtain CP_(A)*. Insome implementations, the relationship between D and CP_(A)* can be apublic mapping, i.e., it can be a mapping that is visible to allparticipants 110 a-110 e of the ZKP-enabled DLN 100 (while the assettoken A remains private or hidden). That is, all participants 110 a-110e of the ZKP-enabled DLN 100 can publicly access the value of CP_(A)*;however, the participants 110 a-110 e may not be able to identify thatthe value CP_(A)* related to the asset token A unless the participants110 a-110 e have access to the asset token A so that the participants110 a-110 e can compute D and use a publicly available mapping (on theZKP-enabled DLN 100) from D to CP_(A)*, to obtain CP_(A)*.

As noted above, in some embodiments, for transactions that are differentfrom a request for recovery of a stolen or lost token commitment (e.g.,transactions such as transferring and/or burning of a token commitment,etc.), the smart contract on the ZKP-enabled DLN 100 may prevent theaddition, to the token commitments data structure, of a new tokencommitment provided to the smart contract to replace an existing tokencommitment if the counting parameter used to generate the new tokencommitment is different from the counting parameter used to generate theexisting token commitment. For example, if the sender 110 a transfers atoken commitment to a recipient, the smart contract may not allow newlygenerated token commitment, owned by the recipient, to be added into thecommitments data structure unless the newly generated token commitmentis generated using the same counting parameter as the original tokencommitment, owned by the sender. In such implementations, if theoriginal token commitment is an illegitimate token commitment (e.g.,because its counting parameters fails to match the counting parameterstored on the ZKP-enabled DLN 100 (e.g., CP_(A)*), then the progenytoken commitment (e.g., the newly generated token commitment, owned bythe recipient) can also be identified as illegitimate by the recipientsince the recipient's token commitment shares the same countingparameter as its parent token commitment. As such, when the sender 110 asubmits to an arbitrator a recovery request for a stolen or lost tokencommitment as discussed above and the recovery request is approved, thennot only the stolen or lost token commitment but also any progeny tokencommitments may be identified as illegitimate or stolen.

In some embodiments, at 308, the sender 110 a may provide the requestfor recovery of the stolen or lost token commitment that includes one ormore ZKPs to the smart contract on the ZKP-enabled DLN 100. In someimplementations, the smart contract may then verify the ZKPs and availthe recovery request to the arbitrator 110 c for approval (or denial).In some implementations, the deliberation of the recovery request may becarried out off-chain. For example, the arbitrator may determine whetherthe recovery request meets the arbitrator's requirements for approval(e.g., the stolen or lost token commitment is in fact stolen or lost,the sender 110 a that submitted the request has no culpability, etc.).In some embodiments, at 310, the arbitrator 110 c may inform the sender110 a, either on-chain and/or off-chain, of the status of the recoveryrequest. If the request for recovery is rejected by the arbitrator 110c, in some embodiments, the smart contract may prevent the addition ofthe replacement token commitment onto the commitments data structure onthe ZKP-enabled DLN 100. In some embodiments, the recovery request maybe approved by the arbitrator 110 c and the smart contract may allow theaddition of the replacement token commitment onto the commitments datastructure and the counting parameter stored on the ZKP-enabled DLN 100may be adjusted (e.g., incremented) to match the counting parameter usedto generate the replacement token structure. For example, if the stolenor lost token commitment is Z_(s)=H(A{circle around (*)}Pk_(s){circlearound (*)}S_(s){circle around (*)}CP_(A)), then the counting parameterstored on the ZKP-enabled DLN 100 may be CP_(A)*. After the arbitrator110 c approves the recovery request that includes a replacement tokencommitment Z_(s)′=H(A{circle around (*)}Pk_(s)′{circle around(*)}S_(s)′{circle around (*)}CP_(A)++), however, the stored countingparameter CP_(A)* may be adjusted to match CP_(A)++, and since CP_(A)*may be visible to all participants 110 a-110 e of the ZKP-enabled DLN100, they may consult the value of CP_(A)* when determining if aparticular token commitment is legitimate or not, as discussed above.

In some embodiments, there can be multiple arbitrators. In someimplementations, there can be multiple publicly available countingparameters (e.g., multiple CP_(A)* parameters) for each asset token A,each with a publicly available counting parameter CP_(A),* associatedwith an arbitrator (e.g., denoted i). For example, CP_(A), can be amapping from {D=H(A) Pk_(i)} to CP_(Ai)*, where Pk_(i) is the public keyof the arbitrator i. In such implementations, publicly availablecounting parameters CP_(Ai)* that are associated with arbitrators thatapprove the recover request may be adjusted or incremented, while thepublicly available counting parameters CP_(Ai)* that are associated witharbitrators that do not approve the recovery request may remain thesame. The participants 110 a-110 e of the ZKP-enabled DLN 100 thatconsult the publicly available counting parameters to determine whethera token commitment may be legitimate or not may have to decide whicharbitrator(s) to believe.

In some instances, a time lag can exist between when a request forrecovery of a stolen or lost token commitment is submitted on theZKP-enabled DLN 100 and a decision by an arbitrator or arbitrators isrendered. In such instances, it may be useful to indicate on theZKP-enabled DLN 100 that there is a pending request for recovery of astolen or lost token commitment, so that participants 110 a-110 e of theZKP-enabled DLN 100 may be on guard against a possibly illegitimatetoken commitment. In such cases, there can be a pending publiclyavailable counting parameter PCP_(A)* that is the same in all respectsas CP_(A)*, except that PCP_(A)* is incremented when a request forrecovery of a stolen or lost token commitment is submitted on theZKP-enabled DLN 100 (as opposed to when the request is approved by anarbitrator in the case of CP_(A)*, for example). If the request isrejected, in some cases, PCP_(A)* may be decremented; if the request isapproved, the incremented PCP_(A)* remains.

In some embodiments, as discussed above, a new owner or recipient of atoken commitment Z_(r)=H(A{circle around (*)}Pk_(r){circle around(*)}S_(r){circle around (*)}CP_(A)) configured to represent on theZKP-enabled DLN 100 an off-chain asset that is identified by the assettoken A may access the counting parameter for that asset token A that isstored on the ZKP-enabled DLN 100 to compare CP_(A) to the storedcounting parameter (CP_(A)*) and determine whether Z_(r) is a legitimatetoken commitment. For example, the new owner or recipient may initiallycalculate D=H(A), and use the publicly available mapping that maps D tothe stored counting parameter CP_(A)* to arrive at the stored countingparameter CP_(A)*. In some implementations, CP_(A) may be different fromthe stored counting parameter CP_(A)* (e.g., the latter has already beenincremented because a rightful owner has claimed it as stolen or lostand has submitted a recovery request, and an arbitrator has approved therequest for recovery), indicating to the new owner or recipient that thetoken commitment Z_(r) is an illegitimate token commitment. In suchimplementations, the new owner or recipient may use a computing nodethat is part of the ZKP-enabled DLN 100 to generate and submit a ZKP toa smart contract to report the receipt of an illegitimate tokencommitment. For example, the ZKP can include the ZKP that (i) the newowner or recipient is in fact an owner of the token commitment Z_(r);(ii) token commitment Z_(r) is one of the token commitments stored inthe commitments data structure of the ZKP-enabled DLN 100; and/or (iii)an arbitrator has determined that token commitment Z_(r) is in factillegitimate.

In some embodiments, the ZKP that new owner or recipient is in fact anowner of token commitment Z_(r) may include the ZKP that the new owneror recipient is an owner of the private key that allows the transfer oftoken commitment Z_(r). For example, the ZKP can prove, when verified bythe smart contract on the ZKP-enabled DLN 100, that the owner orrecipient is in possession of the private key that corresponds to thepublic key Pk_(r) that was used in generating token commitment Z_(r).

In some embodiments, the ZKP that the token commitment Z_(r) is one ofthe token commitments stored in the commitments data structure of theZKP-enabled DLN 100 may include the ZKP that the token commitment Z_(r)is a leaf node of a tree structure such as, but not limited to, a Merkletree that contains token commitments as leaf nodes. For example, thecommitments data structure may be a Merkle tree and token commitmentssubmitted to the smart contract by the participants 110 a-110 e of theZKP-enabled DLN 100 and approved for addition to the commitments datastructure by the smart contract may be stored as leaf nodes of theMerkle tree. In such implementations, the ZKP may include the ZKP thatthe token commitment Z_(r) is stored as a leaf node of the Merkle tree.

In some embodiments, the ZKP that an arbitrator has determined thattoken commitment Z_(r) is in fact an illegitimate token commitment mayinclude the ZKP that the counting parameter CP_(A) used in generatingZ_(r) fails to match the counting parameter stored in the countingparameter tracking data structure on ZKP-enabled DLN 100 for that assettoken A (e.g., the stored counting parameter has been incremented overor exceeds CP_(A)). Upon receiving and verifying the above-noted ZKPs,in some embodiments, the smart contract may notify the participants ofthe ZKP-enabled DLN 100 that the token commitment Z_(r) is in fact anillegitimate token commitment. In some implementations, the use of theZKPs allows the new owner or recipient to report the illegitimate tokencommitment without having to identify Z_(r), A, Pk_(r), S_(r) and/orCP_(A) to the smart contract or publicly on the ZKP-enabled DLN 100.

While various embodiments have been described and illustrated herein,one will readily envision a variety of other means and/or structures forperforming the function and/or obtaining the results and/or one or moreof the advantages described herein, and each of such variations and/ormodifications is deemed to be within the scope of the embodimentsdescribed herein. More generally, one will readily appreciate that allparameters, dimensions, materials, and configurations described hereinare meant to be exemplary and that the actual parameters, dimensions,materials, and/or configurations will depend upon the specificapplication or applications for which the teachings is/are used. Onewill recognize, or be able to ascertain using no more than routineexperimentation, many equivalents to the specific embodiments describedherein. It is, therefore, to be understood that the foregoingembodiments are presented by way of example only and that, within thescope of the disclosure, including the appended claims and equivalentsthereto, disclosed embodiments may be practiced otherwise than asspecifically described and claimed. Embodiments of the presentdisclosure are directed to each individual feature, system, tool,element, component, and/or method described herein. In addition, anycombination of two or more such features, systems, articles, elements,components, and/or methods, if such features, systems, articles,elements, components, and/or methods are not mutually inconsistent, isincluded within the scope of the present disclosure.

The above-described embodiments can be implemented in any of numerousways. For example, embodiments may be implemented using hardware,software or a combination thereof. When implemented in software, thesoftware code can be stored (e.g., on non-transitory memory) andexecuted on any suitable processor or collection of processors, whetherprovided in a single computer or distributed among multiple computers.

Further, it should be appreciated that a computer may be embodied in anyof a number of forms, such as a rack-mounted computer, a desktopcomputer, a laptop computer, netbook computer, or a tablet computer.Additionally, a computer may be embedded in a device not generallyregarded as a computer but with suitable processing capabilities,including a smart phone, smart device, or any other suitable portable orfixed electronic device.

Also, a computer can have one or more input and output devices. Thesedevices can be used, among other things, to present a user interface.Examples of output devices that can be used to provide a user interfaceinclude printers or display screens for visual presentation of outputand speakers or other sound generating devices for audible presentationof output. Examples of input devices that can be used for a userinterface include keyboards, and pointing devices, such as mice, touchpads, and digitizing tablets. As another example, a computer can receiveinput information through speech recognition or in other audible format.

Such computers can be interconnected by one or more networks in anysuitable form, including a local area network or a wide area network,such as an enterprise network, and intelligent network (IN) or theInternet. Such networks can be based on any suitable technology and canoperate according to any suitable protocol and can include wirelessnetworks, wired networks or fiber optic networks.

The various methods or processes outlined herein can be coded assoftware that is executable on one or more processors that employ anyone of a variety of operating systems or platforms. Additionally, suchsoftware can be written using any of a number of suitable programminglanguages and/or programming or scripting tools, and also can becompiled as executable machine language code or intermediate code thatis executed on a framework or virtual machine.

In this respect, various disclosed concepts can be embodied as acomputer readable storage medium (or multiple computer readable storagemedia) (e.g., a computer memory, one or more floppy discs, compactdiscs, optical discs, magnetic tapes, flash memories, circuitconfigurations in Field Programmable Gate Arrays or other semiconductordevices, or other non-transitory medium or tangible computer storagemedium) encoded with one or more programs that, when executed on one ormore computers or other processors, perform methods that implement thevarious embodiments of the disclosure discussed above. The computerreadable medium or media can be transportable, such that the program orprograms stored thereon can be loaded onto one or more differentcomputers or other processors to implement various aspects of thepresent disclosure as discussed above.

The terms “program” or “software” are used herein in a generic sense torefer to any type of computer code or set of computer-executableinstructions that can be employed to program a computer or otherprocessor to implement various aspects of embodiments as discussedabove. Additionally, it should be appreciated that according to oneaspect, one or more computer programs that when executed perform methodsof the present disclosure need not reside on a single computer orprocessor, but can be distributed in a modular fashion amongst a numberof different computers or processors to implement various aspects of thedisclosure.

Computer-executable instructions can be in many forms, such as programmodules, executed by one or more computers or other devices. Generally,program modules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types. Typically the functionality of the program modulescan be combined or distributed as desired in various embodiments.

Also, data structures can be stored in computer-readable media in anysuitable form. For simplicity of illustration, data structures may beshown to have fields that are related through location in the datastructure. Such relationships can likewise be achieved by assigningstorage for the fields with locations in a computer-readable medium thatconvey relationship between the fields. However, any suitable mechanismcan be used to establish a relationship between information in fields ofa data structure, including through the use of pointers, tags or othermechanisms that establish relationship between data elements.

Also, various concepts can be embodied as one or more methods, of whichan example has been provided. The acts performed as part of the methodmay be ordered in any suitable way. Accordingly, embodiments can beconstructed in which acts are performed in an order different thanillustrated, which can include performing some acts simultaneously, eventhough shown as sequential acts in illustrative embodiments. Allpublications, patent applications, patents, and other referencesmentioned herein are incorporated by reference in their entirety.

All definitions, as defined and used herein, should be understood tocontrol over dictionary definitions, definitions in documentsincorporated by reference, and/or ordinary meanings of the definedterms.

The indefinite articles “a” and “an,” as used herein in thespecification and in the claims, unless clearly indicated to thecontrary, should be understood to mean “at least one.”

The phrase “and/or,” as used herein in the specification and in theclaims, should be understood to mean “either or both” of the elements soconjoined, i.e., elements that are conjunctively present in some casesand disjunctively present in other cases. Multiple elements listed with“and/or” should be construed in the same fashion, i.e., “one or more” ofthe elements so conjoined. Other elements may optionally be presentother than the elements specifically identified by the “and/or” clause,whether related or unrelated to those elements specifically identified.Thus, as a non-limiting example, a reference to “A and/or B”, when usedin conjunction with open-ended language such as “comprising” can refer,in one embodiment, to A only (optionally including elements other thanB); in another embodiment, to B only (optionally including elementsother than A); in yet another embodiment, to both A and B (optionallyincluding other elements); etc.

As used herein, “or” should be understood to have the same meaning as“and/or” as defined above. For example, when separating items in a list,“or” or “and/or” shall be interpreted as being inclusive, i.e., theinclusion of at least one, but also including more than one, of a numberor list of elements, and, optionally, additional unlisted items. Onlyterms clearly indicated to the contrary, such as “only one of” or“exactly one of,” or, when used in claims, “consisting of,” will referto the inclusion of exactly one element of a number or list of elements.In general, the term “or” as used herein shall only be interpreted asindicating exclusive alternatives (i.e. “one or the other but not both”)when preceded by terms of exclusivity, such as “either,” “one of” “onlyone of” or “exactly one of” “Consisting essentially of,” when used inclaims, shall have its ordinary meaning as used in the field of patentlaw.

As used herein, the phrase “at least one,” in reference to a list of oneor more elements, should be understood to mean at least one elementselected from any one or more of the elements in the list of elements,but not necessarily including at least one of each and every elementspecifically listed within the list of elements and not excluding anycombinations of elements in the list of elements. This definition alsoallows that elements may optionally be present other than the elementsspecifically identified within the list of elements to which the phrase“at least one” refers, whether related or unrelated to those elementsspecifically identified. Thus, as a non-limiting example, “at least oneof A and B” (or, equivalently, “at least one of A or B,” or,equivalently “at least one of A and/or B”) can refer, in one embodiment,to at least one, optionally including more than one, A, with no Bpresent (and optionally including elements other than B); in anotherembodiment, to at least one, optionally including more than one, B, withno A present (and optionally including elements other than A); in yetanother embodiment, to at least one, optionally including more than one,A, and at least one, optionally including more than one, B (andoptionally including other elements); etc.

All transitional phrases such as “comprising,” “including,” “carrying,”“having,” “containing,” “involving,” “holding,” “composed of,” and thelike are to be understood to be open-ended, i.e., to mean including butnot limited to. Only the transitional phrases “consisting of” and“consisting essentially of” shall be closed or semi-closed transitionalphrases, respectively, as set forth in the United States Patent OfficeManual of Patent Examining Procedures, Section 2111.03.

The invention claimed is:
 1. A method, comprising: receiving, at aprocessor, a request that is configured to cause a representation of anasset on a distributed ledger-based network (DLN), the asset identifiedon the DLN by an asset token; generating, in response to the request andvia the processor, a token commitment to represent the asset on the DLNby hashing a group that includes the asset token and a counting value ofa countable set that includes a plurality of counting values configuredto count a number of times a request for recovery is submitted for thetoken commitment, the counting value of the countable set being astarting counting value of the countable set; initializing, via theprocessor, a public record of the number of times the request forrecovery is submitted for the asset, an initial value of the publicrecord uniquely associated with the starting counting value; providing,via the processor and to a self-executing code segment on the DLN, azero-knowledge proof (ZKP) that (1) the token commitment is generated byhashing a group that includes the starting value of the countable set,and/or (2) the counting value of the countable set is the startingcounting value of the countable set; and receiving, in response toverification of the ZKP by the self-executing code segment, aconfirmation confirming the representation of the asset by the tokencommitment on the DLN.
 2. The method of claim 1, wherein the ZKPincludes that the counting value of the countable set is obtained from apre-determined algorithm configured to compute the starting countingvalue of the countable set.
 3. The method of claim 1, wherein the publicrecord is configured to cloak a publicly identifying information of theasset and/or the asset token.
 4. The method of claim 1, wherein thereceiving the confirmation occurs without an identifying information ofthe asset and/or the asset token being revealed on the DLN.
 5. Themethod of claim 1, wherein the confirmation includes an indication thatthe token commitment is added onto a token commitments data structure onthe DLN that contains token commitments approved for addition onto theDLN.
 6. The method of claim 1, wherein: the confirmation includes anindication that the token commitment is added onto a token commitmentsdata structure on the DLN that contains token commitments approved foraddition onto the DLN, and the token commitments data structure is aMerkle tree.
 7. The method of claim 1, wherein the providing the ZKPincludes providing the ZKP that (1) the token commitment is generated byhashing the group that includes the starting value of the countable set,and (2) the counting value of the countable set is the starting countingvalue of the countable set.
 8. A non-transitory, processor-readablemedium storing instructions that when executed to cause a processor to:receive, at a processor, a request that is configured to cause arepresentation of an asset on a distributed ledger-based network (DLN),the asset identified on the DLN by an asset token; generate, in responseto the request and via the processor, a token commitment to representthe asset on the DLN by hashing a group that includes the asset tokenand a counting value of a countable set that includes a plurality ofcounting values configured to count a number of times a request forrecovery is submitted for the token commitment, the counting value ofthe countable set being a starting counting value of the countable set;initialize, via the processor, a public record of the number of timesthe request for recovery is submitted for the asset, an initial value ofthe public record uniquely associated with the starting counting value;provide, via the processor and to a self-executing code segment on theDLN, a zero-knowledge proof (ZKP) that (1) the token commitment isgenerated by hashing a group that includes the starting value of thecountable set, and/or (2) the counting value of the countable set is thestarting counting value of the countable set; and receive, in responseto verification of the ZKP by the self-executing code segment, aconfirmation confirming the representation of the asset by the tokencommitment on the DLN.
 9. The processor-readable medium of claim 8,wherein the ZKP includes that the counting value of the countable set isobtained from a pre-determined algorithm configured to compute thestarting counting value of the countable set.
 10. The processor-readablemedium of claim 8, wherein the public record is configured to cloak apublicly identifying information of the asset and/or the asset token.11. The processor-readable medium of claim 8, wherein the instructionsto receive the confirmation occurs without an identifying information ofthe asset and/or the asset token being revealed on the DLN.
 12. Theprocessor-readable medium of claim 8, wherein the confirmation includesan indication that the token commitment is added onto a tokencommitments data structure on the DLN that contains token commitmentsapproved for addition onto the DLN.
 13. The processor-readable medium ofclaim 8, wherein: the confirmation includes an indication that the tokencommitment is added onto a token commitments data structure on the DLNthat contains token commitments approved for addition onto the DLN, andthe token commitments data structure is a Merkle tree.
 14. Theprocessor-readable medium of claim 8, wherein the instructions toprovide the ZKP includes instructions to provide EY the ZKP that (1) thetoken commitment is generated by hashing the group that includes thestarting value of the countable set, and (2) the counting value of thecountable set is the starting counting value of the countable set. 15.An apparatus, comprising: a processor; and a memory coupled to theprocessor, the memory storing instructions that when executed cause theprocessor to: receive a request that is configured to cause arepresentation of an asset on a distributed ledger-based network (DLN),the asset identified on the DLN by an asset token, generate, in responseto the request, a token commitment to represent the asset on the DLN byhashing a group that includes the asset token and a counting value of acountable set that includes a plurality of counting values configured tocount a number of times a request for recovery is submitted for thetoken commitment, the counting value of the countable set being astarting counting value of the countable set, initialize a public recordof the number of times the request for recovery is submitted for theasset, an initial value of the public record uniquely associated withthe starting counting value, provide, to a self-executing code segmenton the DLN, a zero-knowledge proof (ZKP) that (1) the token commitmentis generated by hashing a group that includes the starting value of thecountable set, and/or (2) the counting value of the countable set is thestarting counting value of the countable set, and receive, in responseto verification of the ZKP by the self-executing code segment, aconfirmation confirming the representation of the asset by the tokencommitment on the DLN.
 16. The apparatus of claim 15, wherein the ZKPincludes that the counting value of the countable set is obtained from apre-determined algorithm configured to compute the starting countingvalue of the countable set.
 17. The apparatus of claim 15, wherein thepublic record is configured to cloak a publicly identifying informationof the asset and/or the asset token.
 18. The apparatus of claim 15,wherein the instructions to cause to the process to receive theconfirmation includes instructions to cause the processor to receive theconfirmation without an identifying information of the asset and/or theasset token being revealed on the DLN.
 19. The apparatus of claim 15,wherein the confirmation includes an indication that the tokencommitment is added onto a token commitments data structure on the DLNthat contains token commitments approved for addition onto the DLN. 20.The apparatus of claim 15, wherein: the confirmation includes anindication that the token commitment is added onto a token commitmentsdata structure on the DLN that contains token commitments approved foraddition onto the DLN, and the token commitments data structure is aMerkle tree.